rpm-ostree 2023.2 dropped the `rpm-ostree container-encapsulate` entrypoint.
Instead, we have to use `rpm-ostree compose container-encapsulate`.
Adjust the code so that it selects the correct entrypoint based on the rpm-ostree
version.
Since the new stage now requires python-yaml, add it to the buildroot and
regenerate all manifests.
This commit changes these manifests to use the new fedora-vars.ipp and
fedora-build-v2.ipp infrastructure to remove all hardcoded Fedora versions.
Note that this is currently limited only to stage tests that already use v2
manifests. v1 manifests will come later.
Notes:
The buildroot needs additional packages: zstd and openscap-utils. Thus,
all manifests had to be regenerated.
GPG keys were added where missing.
The oscap.remediation stage now creates a bunch of files with timestamps in
their names under /var/lib/authselect/backups. Thus, the newly introduced
`added_directories` directive is used to handle them.
I reviewed all changes in `diff.json` files, and they all seem sane given
that we jumped 4 releases forward.
There hasn't ever been an official tool for this and everyone was just using
the output from the test to generate the diff. This commit introduces a proper
tool for generating these files.
This commit adds support for a new field in tree diffs fed to the stage tests.
This is useful when you care that a directory is added, but you don't care
about its content.
Since this is useful only for the expected tree diff, it's supported only
there. The actual tree diff doesn't support the new field.
This commit changes this manifest to use the new fedora-vars.ipp and
fedora-build-v2.ipp infrastructure to remove all hardcoded Fedora versions.
We are also able to remove the container manifests from the Makefile,
because they are no longer depending on the old f34-build-v2.json.
This commit changes this manifest to use the new fedora-vars.ipp and
fedora-build-v2.ipp infrastructure to remove all hardcoded Fedora versions.
An auto-generated ostree ref and isolabel were added to fedora-vars.
smc-meera-fonts was retired, so this commit changes it to rit-meera-new-fonts.
See
a8fe0d2620
icfg and reiserfs-utils are gone too, and they don't seem to be necessary for
the image, so they were removed as well. Please correct me if I am wrong.
What? I can just edit variables in one file and all(*) manifests get updated
content? That's impressive.
(*) We will be able to do all once we migrate all to the new format. For now,
the usual disclaimer applies:
This change is applied only to manifests based on fedora-build-v2 for now.
module_platform_id has a format of `platform:f34`. I have no idea why just
`f34` is used. Let's fix it.
This change is applied only to manifests based on fedora-build-v2 for now.
They are the same everywhere, we can just factor them out and save some bytes.
This change is applied only to manifests based on fedora-build-v2 for now.
Defining variables in the build pipeline is potentially dangerous, because
it can lead to the buildroot using a different package set than the other
pipelines.
Thus, this commit removes the variables from the build manifest. From now on,
the variables must be defined before the build manifest is included.
Since the build manifest is no longer buildable on its own, let's remove it
from mpp.yaml to ipp.yaml. This is a convention set by the automotive team:
ipp manifests are not meant to be directly buildable, they are only useful
for embedding.
This is the second step of the conversion. All mpp.yaml json files were loaded
and dumped again with pyyaml. It was tweaked to keep the order of keys and to
save multi-line strings in the "flow" style. This was done so the GPG keys
are kept on one line. Otherwise, they take up too much visual space.
There is no functional change in this commit.
osbuild-mpp supports yaml files. The advantage of yaml is that it's less
verbose and allows comments. This way, we can start documenting all the
test manifests in this repository.
This is the first step: This commit just renames the files, so we keep the
history intact. Remember: YAML is a super-set(*) of JSON, so this is fine.
There is no functional change in this commit.
(*) There are some caveats, but we don't need to care in this case.
We have a lot of copypasta of `def ostree()` but in this
case it's actually rpm-ostree, and we should be clear about that.
(Also in the future this code will need to change
to use the non-deprecated entrypoint, see
https://github.com/coreos/rpm-ostree/pull/4527 )
When developing or rebuilding manifests a lot it is common to want to
checkpoint everything to the store. It seems we all have small shell
scripts hanging around for this.
Let `--checkpoint` take a shell-like glob such as `--checkpoint="*"` to
checkpoint everything.
Note that there's a behavioral change here; previously `osbuild
--checkpoint=a` would error if that specific checkpoint wasn't found.
Now `osbuild` will only error if nothing was selected by the passed
globs.
`tox` is a standard testing tool for Python projects, this allows you to
test locally with all your installed Python versions with the following
command:
`tox -m test -p all`
To run the tests in parallel for all supported Python versions.
To run linters or type analysis:
```
tox -m lint -p all
tox -m type -p all
```
This commit *also* disables the `import-error` warning from `pylint`,
not all Python versions have the system-installed Python libraries
available and they can't be fetched from PyPI.
Some linters have been added and the general order linters run in has
been changed. This allows for quicker test failure when running
`tox -m lint`. As a consequence the `test_pylint` test has been removed
as its role can now be fulfilled by `tox`.
Other assorted linter fixes due to newer versions:
- use a str.join method (`consider-using-join`)
- fix various (newer) mypy and pylint issues
- comments starting with `#` and no space due to `autopep8`
This also changes our CI to use the new `tox` setup and on top of that
pins the versions of linters used. This might move into separate
requirements.txt files later on to allow for easier updating of those
dependencies.
The schemas allowed for `inputs` changed a while back; most new
manifests use a different format than what `osbuild-dev` initially
understood.
This adds all schemas.
Add a new stage to generate an OpenSCAP tailoring file. The stage
overrides a base OpenSCAP profile by enabling and disabling user
selected rules and creates a new profile name which can be used for
OpenSCAP scanning and remediation.
This will hopefully help debug problems when the signature check fails.
You need to manually take the hash and look it up in the manifest
sources list to figure out what package failed since this stage doesn't
have access to sources.
Anaconda has deprecated the `kickstart_modules` directive and instead
now has `activatable_`, `forbidden_`, and `optional_modules`. This is
available starting in Fedora 35.
This change allows frontend code (`osbuild-composer`) to put version
checks in place to write the correct keys.
This is a straightforward port of the UKI from Fedora to CentOS Stream.
Changes:
- Packages that do not exist in CS9 were removed:
  - shim-ia32
  - grub2-efi-ia32-cdboot
  - btrfs-progs
- Squashfs compression was changed from lz4 to gzip, because lz4 for squashfs
  isn't enabled in the RHEL 9 kernel
Fedora and RHEL 9 kernels support it and since it's an interesting alternative
to other compression methods, we should support it in osbuild.
I also took the liberty of sorting the compression methods alphabetically.
Prior to this commit, the arguments for the input service were passed inline.
However, jsoncomm uses the SOCK_SEQPACKET socket type underneath that has
a fixed maximum packet size. On my system, it's 212960 bytes. Unfortunately,
that's not enough for big inputs (e.g. when building packages with a lot
of rpms).
This commit moves all arguments to a temporary file. Then, just a file
descriptor is sent. Thus, we are now able to send arbitrarily sized args
for inputs, making osbuild work even for large image builds.
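
The SOCK_SEQPACKET limit and the descriptor-passing workaround described above, as an added sketch (not osbuild's or jsoncomm's own code). The function names and the `args-fd` marker are hypothetical, and the send buffer is pinned small so the inline failure reproduces regardless of the host's defaults.

```python
import json
import os
import socket
import tempfile

def make_pair(sndbuf=65536):
    """Connected SOCK_SEQPACKET pair with a small, fixed send buffer."""
    a, b = socket.socketpair(socket.AF_UNIX, socket.SOCK_SEQPACKET)
    a.setsockopt(socket.SOL_SOCKET, socket.SO_SNDBUF, sndbuf)
    return a, b

def send_inline(sock, args):
    """Old approach: the whole argument blob travels as one packet."""
    try:
        sock.send(json.dumps(args).encode(), socket.MSG_DONTWAIT)
        return True
    except OSError:  # EMSGSIZE on Linux once the packet exceeds the send buffer
        return False

def send_via_fd(sock, args):
    """New approach: write args to a temporary file, send only its descriptor."""
    with tempfile.TemporaryFile() as f:
        f.write(json.dumps(args).encode())
        f.flush()
        socket.send_fds(sock, [b"args-fd"], [f.fileno()])
    # Closing our copy is safe: the in-flight descriptor keeps the file alive.

def recv_via_fd(sock):
    """Receive the descriptor, rewind the shared offset, and parse the args."""
    _msg, fds, _flags, _addr = socket.recv_fds(sock, 64, 1)
    with os.fdopen(fds[0], "rb") as f:
        f.seek(0)
        return json.loads(f.read())

def demo():
    # Constructed sample input: a large map of fake checksums, ~1.6 MB as JSON.
    args = {"refs": {f"sha256:{i:064x}": {} for i in range(20000)}}
    a, b = make_pair()
    try:
        inline_ok = send_inline(a, args)
        if inline_ok:          # only on hosts that ignore the buffer limit
            b.recv(1)          # drop the inline packet before the fd message
        send_via_fd(a, args)
        received = recv_via_fd(b)
    finally:
        a.close()
        b.close()
    return inline_ok, received == args, len(json.dumps(args))

if __name__ == "__main__":
    print(demo())
```

The receiver should treat the descriptor as untrusted input like any other message field: read it with a size bound appropriate to the service and close it on every path.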